bennetyee
commented
5 years ago A better, more subtle attack would be to not automatically vote, but to make it so that whatever the user's choice is, the vote is nevertheless cast for the candidate of the adversary's choice. The metamask interaction will be the same as normal.
https://github.com/oasislabs/secret-ballot/blob/9294f5a3dc13d129e477c7862476c028acb30aa2/app/javascripts/app.js#L113
It appear to be possible to create a ballot where one of the candidate's name is actually an XSS (or stored XSS) that allows me to inject JS that would, for example, make the user vote for a candidate of my choice instead of theirs. The user's metamask wallet would have to be already unlocked, probably, or else the prompt to unlock the wallet when the user is not intending to vote might raise suspicions, and coupled with the fact that it is easy to determine candidates names and that only the ballot creator can specify candidate names, the audit trail will be pretty obvious (as long as the ballot creator is not a burner wallet address, used to create some click-bait ballot).
I'm not sure where the web form for the ballots are hosted. The stored XSS would allow access of any cookies from that site, etc, so is of independent interest from vote fraud. Anyway, there are frameworks that include code that makes escaping user-inputs easy; I think react.js is one such, but it also includes a lot of other stuff that might not be needed here.